Abstract. Recently, arbitrated quantum signature (AQS) schemes for signing quantum
messages were proposed. It was claimed that the AQS schemes could guarantee
unconditional security. However, in this paper, we show that all the presented AQS
protocols are insecure. Due to the use of quantum one-time pad encryption, the signer
Alice can always successfully acquire the receiver Bob's secret key and disavow any
of her signatures. The detailed attack strategies and security analysis are described.
Furthermore, the original versions of the protocols are revised and the security of the
AQS protocols is improved accordingly. Besides, the presented method can also be
used against Alice's disavowal attack proposed by Gao et al. (Phys. Rev. A 84, 022344 (2011)).
1. Introduction

Digital signature schemes allow a signer Alice who has established a public key to sign
a message in such a way that any other party who knows the public key can verify
that the message originated from the signer and has not been modified in any way, and
the signer cannot repudiate it later [1]. Digital signatures are commonly used for
software distribution, financial transactions, and in other cases where it is important
to detect forgery or tampering. However, digital signatures become increasingly
vulnerable with more powerful quantum computation [2, 3], since their security is
mostly based on the assumption of computational complexity. So, many scholars have
begun to investigate quantum signatures, which are supposed to provide an alternative
protocol with unconditional security. In 2002 Zeng and Keitel proposed an arbitrated
quantum signature (AQS) which provides many merits [4], and they announced that the
unconditional security is ensured by using the correlation of Greenberger-Horne-Zeilinger
(GHZ) triplet states and quantum one-time pads [5]. In 2009 Li et al. [6] presented an
AQS scheme using Bell states, which reduces the complexity of implementation by using
Bell states instead of GHZ states. Recently, Zou et al. further simplified this protocol,
achieving AQS without entangled states [7]. Both of them still preserve the merits of
Zeng et al.'s protocol.

Very recently Gao et al. showed that these AQS protocols are not secure, and Bob
can realize existential forgery of Alice's signature under known message attack [8]. In
this brief report, we will show that the AQS scheme is completely insecure if the quantum
one-time pad [5] is used: Alice can always obtain Bob's secret key and disavow all
her signatures successfully. Having Bob's secret key, Alice has the ability to change
her signature into any message in her favor after she has sent the signature to Bob.
Therefore, some improvements are provided to enable the AQS schemes to circumvent
our presented attack.

The remainder of this brief report is organized as follows. In Sec. 2 we analyze
the security of the existing AQS protocols and present our attack. Then, in Sec. 3 we
construct an AQS scheme similar to the scheme in Ref. [7] which can stand against the
presented attacks and the disavow attack in Ref. [8]. The technique can also be used to
improve the AQS schemes using entangled states [4, 6]. Finally, we give our conclusion.

2. Security analysis for arbitrated quantum signature schemes 

We first introduce the quantum one-time pad algorithm, which is helpful for understanding our
attack strategies. Then the AQS protocols using Bell states [6] and without entanglement
[7] are described briefly, and the security analysis is demonstrated.

2.1. A. Quantum one-time pad algorithm 

For convenience, $E_K$ denotes the quantum one-time pad (QOTP) encryption [5] and
the key is $K \in \{0,1\}^*$, $|K| \ge 2n$. The QOTP encryption $E_K$ on the quantum message
$|P\rangle = |p_1\rangle \otimes |p_2\rangle \otimes \cdots \otimes |p_n\rangle$ with $|p_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$ can be described by

$$|C\rangle = E_K|P\rangle = \bigotimes_{i=1}^{n} \sigma_x^{K_{2i-1}} \sigma_z^{K_{2i}} |p_i\rangle, \tag{1}$$

where $K_j$ denotes the $j$th bit of $K$, and $\sigma_x$ and $\sigma_z$ are Pauli operations. The
corresponding decryption $D_K$ is

$$D_K|C\rangle = \bigotimes_{i=1}^{n} \sigma_z^{K_{2i}} \sigma_x^{K_{2i-1}} |c_i\rangle, \tag{2}$$

where $|c_i\rangle$ denotes the $i$th qubit of the ciphertext $|C\rangle$.

2.2. B. AQS scheme using Bell states 

The AQS protocol using Bell states [6] is as follows. 

Initializing phase. 

Alice and Bob each share a key with the arbitrator through quantum key distribution
protocols, i.e., $K_A$ and $K_B$ respectively, and they also share $n$ Bell states
$|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{AB}$, where the subscripts A and B correspond to Alice and Bob,
respectively.

Signing phase. 

S1. Alice obtains three copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n} |p_i\rangle$ to be signed.

S2. Using the key $K_A$, Alice transforms one copy of $|P\rangle$ into $|R_A\rangle$, i.e.,
$|R_A\rangle = M_{K_A}|P\rangle$. We notice that $M_{K_A}$ denotes a unitary operator, and it may be either
commutative or non-commutative with other quantum operators. In Ref. [9], the author
gave an example to show how the quantum state $|R_A\rangle$ is generated by Alice,

$$|R_A\rangle = M_{K_A}|P\rangle = \bigotimes_{i=1}^{n} M_{K_A^i}|p_i\rangle = \bigotimes_{i=1}^{n} \sigma_x^{K_A^i} \sigma_z^{K_A^i \oplus 1} |p_i\rangle, \tag{3}$$

where $K_A^i$ is the $i$th bit of $K_A$, but it does not mean that Eq. (3) is the only format of
$M_{K_A}$. The purpose of this example is to present a detailed mathematical formulation of
generating the state $|R_A\rangle$. Gao et al. have shown that if $M_{K_A}$ is commutative with other
quantum operators, an existential forgery attack can be mounted [8]. So the non-commutative
property should be included in $M_{K_A}$ [10].

S3. Alice combines each qubit in the second copy of $|P\rangle$ and the Bell state by
carrying out a joint measurement on both states and obtains the three-particle entangled
state,

$$|\phi_i\rangle = |p_i\rangle \otimes |\phi^+\rangle_{AB} = \frac{1}{2}\Big\{ |\phi^+\rangle_A(\alpha_i|0\rangle + \beta_i|1\rangle)_B + |\phi^-\rangle_A(\alpha_i|0\rangle - \beta_i|1\rangle)_B + |\psi^+\rangle_A(\alpha_i|1\rangle + \beta_i|0\rangle)_B + |\psi^-\rangle_A(\alpha_i|1\rangle - \beta_i|0\rangle)_B \Big\}, \tag{4}$$

where $|\phi^+\rangle_A$, $|\phi^-\rangle_A$, $|\psi^+\rangle_A$ and $|\psi^-\rangle_A$ are the four Bell states [11]. Then she
implements a Bell measurement on each three-particle entangled state $|\phi_i\rangle$, obtaining
the measurement result $|M_A\rangle = \bigotimes_{i=1}^{n} |M_A^i\rangle$, where the $|M_A^i\rangle$ are random Bell states. The
role of $|M_A\rangle$ is to help Bob to retrieve the second copy of message $|P\rangle$ by teleportation
via Bell states previously shared between them.

S4. Alice generates the signature $|S\rangle = E_{K_A}(|M_A\rangle, |R_A\rangle)$ of message $|P\rangle$ by
encrypting $|M_A\rangle$ and $|R_A\rangle$ with the secret key $K_A$.

S5. Alice transmits the signature $|S\rangle$ and the third copy of message $|P\rangle$ to Bob.

Verifying phase.

V1. Bob encrypts $|S\rangle$ and $|P\rangle$ using the key $K_B$, obtaining $|Y_B\rangle = E_{K_B}(|S\rangle, |P\rangle)$,
and sends it to the arbitrator.

V2. The arbitrator decrypts the received ciphertext $|Y_B\rangle$ with $K_B$ and $K_A$, getting
$|M_A\rangle$, $|R_A\rangle$ and $|P\rangle$. Then the arbitrator sets the verification parameter $V = 1$ if
$|R_A\rangle = M_{K_A}|P\rangle$; otherwise he sets $V = 0$. Quantum state comparison was discussed in
detail in Ref. [6].

V3. The arbitrator can recover $|S\rangle$ and $|P\rangle$, as the compared states can be recovered
after the comparison if they are indeed equal. As $|M_A\rangle$ are Bell states, they can
be distinguished and replicated in many copies. Then he sends the encrypted results
$|Y_{TB}\rangle = E_{K_B}(|M_A\rangle, |S\rangle, |P\rangle, V)$ to Bob.

V4. Bob decrypts the received $|Y_{TB}\rangle$ and judges whether $V = 1$. If not, he considers
that the signature is forged and stops the protocol.

V5. According to $|M_A\rangle$, Bob can restore the second copy of $|P\rangle$ via teleportation
by Alice. Then he compares it with the copy received from the arbitrator and accepts
the signature when they are equal; otherwise he considers that the signature has been
forged and rejects it.

2.3. C. AQS scheme without entanglement 

In 2010, Zou et al. pointed out that the AQS scheme using Bell states can be repudiated
by the receiver Bob, and they improved the AQS scheme by using a public board to
overcome this shortcoming. Only the following two changes are needed:

(1). In the signing phase, Alice first chooses a random number $r \in \{0,1\}^{2n}$ and
transforms all $|P\rangle$ into secret qubit strings $|P'\rangle = E_r(|P\rangle)$. Then they use $|P'\rangle$ instead
of $|P\rangle$ in all following steps.

(2). In the verifying phase, Bob informs Alice by the public board to publish $r$ after
he has finished his verifying. Then, Alice publishes $r$ by the public board. Finally, Bob gets
back $|P\rangle$ from $|P'\rangle$ by $r$ and holds $(|S\rangle, r)$ as Alice's signature for the quantum message
$|P\rangle$.

In Ref. [7], the authors also said that, in order to achieve a higher efficiency in
transmission, they make the following improvement:

(3). In step V1, Bob does not send his measuring result $|M_A\rangle$ to the arbitrator,
and the arbitrator need not send it back. In addition, the arbitrator informs Alice and
Bob by the public board to abort the scheme if he found the signature being forged.

Table 1. Relations of Alice's key $K_A$, $|M_A\rangle$ and $E_{K_A} \otimes I|M_A\rangle$

$K_A \backslash |M_A\rangle$   $|\phi^+\rangle$   $|\phi^-\rangle$   $|\psi^+\rangle$   $|\psi^-\rangle$

Zou's AQS scheme without using entanglement [7] is as follows.

Initializing phase

Three keys $K_{AB}$, $K_A$ and $K_B$ are shared between Alice and Bob, Alice and the
arbitrator, Bob and the arbitrator respectively.

Signing phase

S1. Alice obtains three copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n} |p_i\rangle$, and encrypts
each of them into $|P'\rangle$ using a random number $r$ as the key.

S2. Alice performs the following encryptions $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S_A\rangle = E_{K_A}|P'\rangle$,
and sends $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ to Bob.

Verifying phase

V1. Bob sends $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ to the arbitrator.

V2. The arbitrator decrypts $|Y_B\rangle$ and verifies whether $|S_A\rangle = E_{K_A}|P'\rangle$. If the
equation holds, he sets the verification parameter $V_T = 1$; otherwise he sets $V_T = 0$. He
announces the verification parameter $V_T$ by the public board and regenerates $|Y_B\rangle$ and
sends it back to Bob.

V3. If $V_T = 0$, Bob rejects the signature; otherwise he decrypts $|Y_B\rangle$ and verifies
whether $E_{K_{AB}}|P'\rangle = |R_{AB}\rangle$. If $E_{K_{AB}}|P'\rangle = |R_{AB}\rangle$, he sets the verification parameter
$V_B = 1$; otherwise he sets $V_B = 0$. He announces the verification parameter $V_B$ by the
public board.

V4. If $V_B = 1$, Alice publishes $r$ by the public board, and Bob gets back $|P\rangle$ from
$|P'\rangle$ by $r$ and stores $(|S_A\rangle, r)$ as Alice's signature for the quantum message $|P\rangle$.

2.4. D. Security analysis of the AQS schemes

In the remainder of this subsection, we show that the AQS schemes are insecure,
because Alice can obtain Bob's secret key and deny her signature successfully by the
property of QOTP encryption [5].

2.4.1. 1. Alice's general attack on AQS scheme without entanglement

We describe Alice's general attack in detail in the following.

Her attack begins in step S2. Alice prepares $n$ ordered Bell states
$|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TH}$, where the subscripts $T$ and $H$ denote different particles. We
denote the $n$ ordered Bell states with $(T_1, H_1), (T_2, H_2), (T_3, H_3), \cdots, (T_n, H_n)$, where
the subscripts indicate the pair order in the sequence. Alice takes one particle from
each Bell state to form an ordered particle sequence which is denoted by
$|T\rangle = (T_1, T_2, T_3, \cdots, T_n)$. The remaining particles compose another particle sequence
$|H\rangle = (H_1, H_2, H_3, \cdots, H_n)$. Alice performs the following encryptions $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$,
$|S_A\rangle = E_{K_A}|P'\rangle$, and sends $|T\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ instead of $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ to
Bob. As Alice transforms the quantum message $|P\rangle$ into $|P'\rangle$ using a random number
$r$, $|P'\rangle$ will be known to nobody. Furthermore, non-orthogonal states can't be reliably
distinguished. Therefore, Bob won't notice Alice's attack and accepts $|T\rangle$ as the signed
message.

In the verifying phase, Bob sends $|Y_B\rangle = E_{K_B}(|T\rangle, |S_A\rangle)$ to the arbitrator for
verification. Alice intercepts it, obtaining $E_{K_B}|T\rangle$. Then Alice can learn Bob's secret key
$K_B$ exactly by performing a Bell-basis measurement on $E_{K_B}|T\rangle$ and $|H\rangle$ simultaneously,
for which one can refer to Table 1 and Ref. [5]. For example, if $(T, H) = |\phi^+\rangle$ and
$(E_{K_B}T, H) = |\psi^+\rangle$, the secret key $K_B = 10$.

Alice generates $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ by encrypting $|P'\rangle$ and $|S_A\rangle$ using the key
$K_B$, and sends it to the arbitrator. When the arbitrator announces the verification
parameter $V_T = 1$ by the public board and sends $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ back to Bob in
step V2, Alice intercepts it. Then Alice randomly selects a quantum message $|P''\rangle$ where
$|P''\rangle \neq |P'\rangle$ and generates $|S'_A\rangle = E_{K_A}|P''\rangle$. Then Alice sends $|Y_B\rangle = E_{K_B}(|P'\rangle, |S'_A\rangle)$ to
Bob. Bob will accept this signature without noticing Alice's attack in steps V3 and V4.
When a dispute appears, Bob requests a judgment by providing $(|P\rangle, |S'_A\rangle, r)$ to
the arbitrator. Then the arbitrator generates $|P'\rangle$ by encrypting $|P\rangle$ using $r$, and verifies
whether $|S'_A\rangle = E_{K_A}|P'\rangle$. Obviously the modified signature will not pass verification,
and hence Alice denies having signed the message successfully.

2.4.2. 2. Alice's general attack on AQS schemes with entanglement

Now, we show that the above attack is more powerful than the presented attack in Ref. [8],
because the AQS schemes using entanglement [4, 6] are totally insecure under the above attack
strategy, i.e., Alice can completely obtain Bob's secret key and change her signature for
any message in her favor, which is described explicitly as follows.

We take the AQS scheme using Bell states as an example. Similar to the above
attack, Alice prepares $4n$ ordered Bell states $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{TH}$, where the
subscripts $T$ and $H$ denote different particles. We denote the $4n$ ordered Bell states with
$(T_1, H_1), (T_2, H_2), (T_3, H_3), \cdots, (T_{4n}, H_{4n})$, where the subscripts indicate the pair order
in the sequence. Alice takes one particle from each Bell state to form an ordered particle
sequence which is denoted by $|T\rangle = (T_1, T_2, T_3, \cdots, T_{4n})$. The remaining particles
compose another particle sequence $|H\rangle = (H_1, H_2, H_3, \cdots, H_{4n})$. Then she sends
$|T\rangle = (T_1, T_2, T_3, \cdots, T_{4n})$ as the signature and the signed message instead of $|S\rangle$ and
$|P\rangle$ to Bob in step S5. In the verifying phase, Bob encrypts $|T\rangle = (T_1, T_2, T_3, \cdots, T_{4n})$
using $K_B$, obtaining $|Y_B\rangle$, and sends it to the arbitrator. Then Alice can completely
access Bob's secret key $K_B$ using a method similar to the one described above. After having
Bob's secret key, Alice has the ability to change her signature into any message. Alice
chooses the message $|P'\rangle$ in her favor and generates the signature $|S'\rangle$, and encrypts
them using Bob's secret key, i.e., $|Y_B\rangle = E_{K_B}(|P'\rangle, |S'\rangle)$. Then she sends $|Y_B\rangle$ to the
arbitrator. It is easy to see that Bob will accept $|P'\rangle$, $|S'\rangle$ as a valid signature.

It should be stressed that the security of the arbitrated quantum signature is
based on the chosen symmetric-key encryption scheme and the shared secret keys of
the participants. The reasons why our presented attack is more powerful than Gao's
attack [8] are: on the one hand, if Alice obtains Bob's secret key, then Alice can change
her mind about the message $|P\rangle$ in her favor, which is not fair to Bob and not allowed
in classical digital signatures; on the other hand, if the secret key is obtained by Eve, the
scheme will be totally insecure in cryptography, which is also known as total break, i.e.,
Alice can forge signatures for any message, while Gao's attack is only an existential forgery
attack [8]. Furthermore, in step S2 of the AQS scheme using Bell states, we have pointed
out that the existential forgery attack will not exist if the non-commutative property is
included in $M_{K_A}$ [10].

3. A secure AQS scheme without using entangled states 

We have shown that the existing AQS schemes [4, 6, 7] are totally insecure. Moreover,
from Ref. [7], we know that the AQS scheme without using entangled states reduces the
complexity of implementing the scheme and maintains all other merits of the AQS scheme
using Bell states [6] and the AQS scheme using GHZ states [4]. Therefore, in this
section, we present a new AQS scheme without using entangled states that can avoid the
above attack and preserves all the merits of the AQS scheme of Ref. [7].

It is well known that a secure arbitrated quantum signature should satisfy two
conditions: one is that the signature should not be forged by the attacker (including the
malicious receiver and the not fully trusted arbitrator), and the other is the impossibility
of disavowal by the signatory and the receiver. In the AQS scheme without using
entangled states [7], Alice sends $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ to Bob in step S2. $|R_{AB}\rangle$ is used
to prevent the arbitrator from forging Alice's signature, as he is not fully trusted by Alice
and Bob and $K_{AB}$ is kept secret from him; $|S_A\rangle$ is used to prevent Bob from forging her
signature, as he does not have Alice's secret key $K_A$; meanwhile, the secret key $K_A$ is
included in $|S_A\rangle$, which also prevents Alice from repudiating her signature; $|P'\rangle$ is
used to avoid being disavowed by Bob. Therefore, $|P'\rangle$, $|R_{AB}\rangle$ and $|S_A\rangle$ are essential to
achieve a secure signature.

Alice is able to deny her signature and obtain Bob's secret key because Bob has not
verified the validity of the signed message $|P'\rangle$ in step V1. We notice that $|P'\rangle$ may be
replaced by some entangled states, and Alice obtains Bob's secret key by the property of
the quantum one-time pad, so she can deny her signature and change the original message
into any other message in her favor. To avoid being disavowed and forged by Alice, Bob
must verify the validity of the signed message $|P'\rangle$ before he sends it to the arbitrator
in step V1.
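An added example (not code from the paper) that simulates with plain state vectors the two points made above: a one-time pad $\sigma_x^{K_{2i-1}}\sigma_z^{K_{2i}}$ applied to one half of a Bell pair is read back exactly by a Bell measurement (the key leak of Sec. 2.4), and a pre-check by Bob before step V1 catches such decoy qubits. As a stand-in for the state comparison the paper leaves to Ref. [6] it assumes a swap test; all function names and sample values are illustrative.

```python
import math

S = 1 / math.sqrt(2)
# Two-qubit amplitudes for (T, H), indexed 2*t + h. Bell vectors are real.
BELL = {"phi+": [S, 0, 0, S], "phi-": [S, 0, 0, -S],
        "psi+": [0, S, S, 0], "psi-": [0, S, -S, 0]}
# Bell outcome -> the two pad bits (K_{2i-1}, K_{2i}) that turn phi+ into it.
OUTCOME_TO_KEY = {"phi+": (0, 0), "psi+": (1, 0), "phi-": (0, 1), "psi-": (1, 1)}


def qotp_on_t(state, k1, k2):
    """Bob's pad on qubit T only: sigma_x^k1 sigma_z^k2 (sigma_z acts first)."""
    out = list(state)
    if k2:   # sigma_z flips the sign of amplitudes with t = 1
        out = [out[0], out[1], -out[2], -out[3]]
    if k1:   # sigma_x swaps the t = 0 and t = 1 halves
        out = out[2:] + out[:2]
    return out


def bell_probabilities(state):
    """Outcome probabilities of a Bell-basis measurement on (T, H)."""
    return {name: abs(sum(b * a for b, a in zip(vec, state))) ** 2
            for name, vec in BELL.items()}


def recover_key(key_bits):
    """Key bits read back by whoever holds H after Bob pads n decoy qubits T."""
    recovered = []
    for k1, k2 in zip(key_bits[0::2], key_bits[1::2]):
        probs = bell_probabilities(qotp_on_t(BELL["phi+"], k1, k2))
        outcome = max(probs, key=probs.get)   # one outcome has probability 1
        recovered.extend(OUTCOME_TO_KEY[outcome])
    return recovered


def comparison_pass_probability(p, pair_state):
    """Swap-test pass probability between |p> and qubit T of pair_state.

    Equals 1/2 + <p|rho_T|p>/2, where rho_T is the reduced state of T.
    """
    overlap = sum(
        abs(sum(complex(p[t]).conjugate() * pair_state[2 * t + h]
                for t in range(2))) ** 2
        for h in range(2))
    return 0.5 + 0.5 * overlap


def detection_probability(p, n):
    """Chance that at least one of n decoy qubits fails Bob's pre-check."""
    return 1 - comparison_pass_probability(p, BELL["phi+"]) ** n


if __name__ == "__main__":
    kb = [1, 0, 0, 1, 1, 1, 0, 0]      # constructed sample key K_B, n = 4
    print("recovered K_B:", recover_key(kb))
    p = [0.6, 0.8]                      # constructed sample qubit |p'_i>
    honest = [p[0], 0, p[1], 0]         # T really is |p'_i> (H unused)
    print("honest qubit passes:", comparison_pass_probability(p, honest))
    print("decoy qubit passes: ", comparison_pass_probability(p, BELL["phi+"]))
    print("decoys caught, n=20:", detection_probability(p, 20))
```

Under the swap-test assumption each decoy qubit passes with probability 3/4 whatever $|p'_i\rangle$ is, so the chance that $n$ decoys all go unnoticed falls as $(3/4)^n$.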

Gao et al. [8] showed that Alice can disturb the signature $|S_A\rangle$ when the arbitrator



Improvements on the security of arbitrated quantum signature protocols 8 

sends $|Y_B\rangle$ back to Bob in step V2. As only $|S_A\rangle$ is modified by Alice and $|S_A\rangle$
is not useful for Bob's verification in step V3, Bob will accept this signature as a
valid one. However, when a dispute appears, Alice can always successfully disavow her
signature because the disturbed signature will not pass the arbitrator's verification.
However, Gao's attack is actually a special DoS attack which is inevitable in all
existing protocols. And one important property of the quantum signature is to ensure
the integrity (or authenticity) of transmitted quantum messages. Adding a quantum
message authentication to the quantum signature protocol [8] may not be a proper way
to obtain a secure quantum signature.

We notice that $|S_A\rangle$ is completely indistinguishable to Bob: when he receives the
modified $|S_A\rangle$ he cannot verify its validity. That is the main reason why Alice's disavowal
is always successful. To avoid Gao's attack, Bob needs to authenticate the validity of
$|S_A\rangle$ when he receives it back from the arbitrator. We give a simple method to verify the
validity of $|S_A\rangle$ when Bob receives it back from the arbitrator, thereby avoiding
Gao's attacks. The AQS scheme is specified in the following.

Initializing phase 

Three keys $K_{AB}$, $K_A$ and $K_B$ are shared between Alice and Bob, Alice and the
arbitrator, Bob and the arbitrator respectively. The lengths of these keys depend on
the chosen cryptographic algorithms in the signing and verifying phases.

Signing phase 

S1. Alice obtains four copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n} |p_i\rangle$, and
transforms each of them into $|P'\rangle$ using a random number $r$ as the key, i.e., $|P'\rangle = M_r|P\rangle$,
where $M_r$ is a non-commutative unitary operator.

S2. Alice performs the following encryptions $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S_A\rangle = E_{K_A}|P'\rangle$,
$|S_A\rangle = E_{K_A}|P'\rangle$ and sends $|P'\rangle$, $|R_{AB}\rangle$, $|S_A\rangle$ and $|S_A\rangle$ to Bob. Note that there are two
copies of $|S_A\rangle$ (in order to facilitate the expression, we denote them $|S_A\rangle_1$ and $|S_A\rangle_2$
respectively): one, $|S_A\rangle_1$, is for the arbitrator to verify the validity of the signature; the
other, $|S_A\rangle_2$, is used against Alice's disavowal attack proposed by Gao et al. [8].

Verifying phase 

V1. Before Bob sends $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle_1)$ to the arbitrator for verification,
he verifies the validity of $|P'\rangle$ and $|S_A\rangle$ first. If $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$ and the two copies
of $|S_A\rangle$ are identical, he believes that Alice is honest and sends $|Y_B\rangle$ to the arbitrator;
otherwise, he terminates the protocol and rejects the signature. Note that Bob keeps
one copy of $|S_A\rangle$ in his hand and it will be used to verify whether the signature sent to
the arbitrator is modified by Eve.

V2. The arbitrator decrypts $|Y_B\rangle$ and verifies whether $|S_A\rangle_1 = E_{K_A}|P'\rangle$. If the
equation holds, he sets the verification parameter $V_T = 1$; otherwise he sets $V_T = 0$. He
announces the verification parameter $V_T$ by the public board and regenerates $|Y_B\rangle$ and
sends it back to Bob.

V3. If $V_T = 0$, Bob rejects the signature; otherwise he decrypts $|Y_B\rangle$ and verifies
whether $E_{K_{AB}}|P'\rangle = |R_{AB}\rangle$ and $|S_A\rangle_1 = |S_A\rangle_2$. If both of them hold, he sets the
verification parameter $V_B = 1$; otherwise he sets $V_B = 0$. He announces the verification
parameter $V_B$ by the public board.

V4. If $V_B = 1$, Alice publishes $r$ by the public board, then Bob gets back $|P\rangle$ from
$|P'\rangle$ by $r$ and he accepts the signature $|S_A\rangle$ of the message $|P\rangle$ and stores $(|P\rangle, |S_A\rangle, |S_A\rangle)$
for resolving disputes when Alice disavows her signature.

According to the previous analysis, the new specific AQS scheme without entangled states
is secure, i.e., it is secure against our presented attack and Gao's attack [8] and maintains
all the merits of the existing AQS schemes [4, 6, 7]. Furthermore, we give a specific
protocol while Gao only gives a possible improvement method, and our protocol is easier to
implement than the improved AQS scheme with quantum message authentication
of Ref. [8]. Similarly, the AQS schemes using entangled states [4, 6] can also be improved
by the above method.

4. Conclusion 

In this brief report, we present a general attack which shows that the existing AQS
protocols [4, 6, 7] are insecure because Alice can obtain Bob's secret key and disavow
any message she ever signed and forge signatures for any message in her favor. We also
improve the AQS schemes to withstand all the attacks. To prevent Alice from obtaining Bob's
secret key, Bob must first verify the validity of the signed message before he sends it
to the arbitrator. Note that our presented AQS scheme, on the one hand, can avoid
being disavowed and forged by a malicious Alice and, on the other hand, preserves all merits
of the existing schemes [4, 6, 7].

Acknowledgments

This work is in part supported by the Key Project of NSFC-Guangdong Funds 
(No.U0935002). 

References 

[1] Katz, Jonathan and Lindell, Yehuda 2007 Introduction to Modern Cryptography Chapman & Hall/CRC Cryptography and Network Security Series
[2] P. W. Shor 1994 Algorithm for quantum computation: Discrete logarithm and factoring algorithm Proceedings of the 35th Annual Symposium on Foundations of Computer Science (IEEE Computer Society Press, Los Alamos, CA) 124
[3] Lov K. Grover 1996 A fast quantum mechanical algorithm for database search In Proceedings of 28th Annual ACM Symposium on Theory of Computing (New York) 212-219
[4] Zeng, Guihua and Keitel, Christoph H. 2002 Arbitrated quantum-signature scheme Phys. Rev. A 65 042312
[5] Boykin, P. Oscar and Roychowdhury, Vwani 2003 Optimal encryption of quantum bits Phys. Rev. A 67 042317
[6] Li, Qin and Chan, W. H. and Long, Dong-Yang 2009 Arbitrated quantum signature scheme using Bell states Phys. Rev. A 79 054307
[7] Zou, Xiangfu and Qiu, Daowen 2010 Security analysis and improvements of arbitrated quantum signature schemes Phys. Rev. A 82 042325




[8] Gao, Fei and Qin, Su-Juan and Guo, Fen-Zhuo and Wen, Qiao-Yan 2011 Cryptanalysis of the arbitrated quantum signature protocols Phys. Rev. A 84 022344
[9] Zeng, Guihua 2008 Reply to "Comment on 'Arbitrated quantum-signature scheme'" Phys. Rev. A 78 016301
[10] Jeong Woon Choi, Ku-Young Chang, Dowon Hong 2011 arXiv:1106.5318v1
[11] Kwiat, Paul G. and Mattle, Klaus and Weinfurter, Harald and Zeilinger, Anton and Sergienko, Alexander V. and Shih, Yanhua 1995 New High-Intensity Source of Polarization-Entangled Photon Pairs Phys. Rev. Lett. 75 4337-4341



